
lxml vulnerable to quadratic blowup

Open nleve opened this issue 8 years ago • 1 comment

Parsing XML from sources you don't control opens the door for multiple XML parser vulnerabilities. lxml prevents some, but not all, with quadratic blowup being one of them. Switching to defusedxml would fix this.

Expected Behavior

nexpose-client-python should avoid entity expansion when parsing incoming XML.

Current Behavior

nexpose-client-python may open up the user to XML parser vulnerabilities if pointed at a fake nexpose instance.

Possible Solution

Use defusedxml, which is a drop-in replacement for lxml.

nleve avatar Nov 20 '17 02:11 nleve
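The mitigation the issue asks for, as an added example that is not the project's code: a stdlib-only parser that, like defusedxml, hooks expat's DOCTYPE and entity handlers so an untrusted document is refused before any entity is expanded, which is what makes quadratic blowup and billion-laughs payloads harmless regardless of their size. It assumes the client only needs elements, attributes and text (comments and processing instructions are dropped); the tag names in the sample documents are constructed, not taken from a real Nexpose response.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXMLError(ValueError):
    """Raised when the document uses a construct we refuse to expand."""


def parse_untrusted_xml(data):
    """Parse XML from an untrusted peer into an ElementTree Element.

    Any DOCTYPE, entity declaration or external entity reference aborts the
    parse before expat expands anything, so blowup payloads are rejected by
    their DTD rather than by their size.
    """
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()

    def refuse(what):
        raise UnsafeXMLError(f"refusing untrusted XML: {what}")

    # Fires at '<!DOCTYPE', i.e. before any entity in the internal subset
    # can be declared or an external DTD fetched.
    parser.StartDoctypeDeclHandler = lambda name, *_: refuse(f"DOCTYPE {name!r}")
    # Belt and braces in case the DOCTYPE check is ever relaxed.
    parser.EntityDeclHandler = lambda name, *_: refuse(f"entity {name!r}")
    parser.UnparsedEntityDeclHandler = lambda name, *_: refuse(f"unparsed entity {name!r}")
    parser.ExternalEntityRefHandler = lambda *_: refuse("external entity reference")

    # Everything allowed through is handed to the standard tree builder.
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(data, True)
    return builder.close()


def rejection_reason(data):
    """Return None if the document parses cleanly, else why it was refused."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXMLError as exc:
        return str(exc)
    return None


# Constructed sample inputs (hypothetical tag names, not real Nexpose output).
CLEAN = b"<SiteListing><Site id='1' name='demo'/></SiteListing>"
# One tiny internal entity: the building block a blowup payload repeats.
WITH_ENTITY = b"<!DOCTYPE r [<!ENTITY a 'xxxx'>]><r>&a;&a;&a;</r>"
EXTERNAL_DTD = b"<!DOCTYPE r SYSTEM 'http://dtd.example.invalid/r.dtd'><r/>"
```

Because the check hangs off expat, it replaces rather than wraps an lxml-based parser; lxml's own knobs (such as `resolve_entities=False` on `etree.XMLParser`) are a separate mitigation path.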

From the documentation on defusedxml it seems like it's not necessarily a complete drop-in replacement. I may need to look into it some more, though.

For now I feel that this is a fairly low priority issue since risk of attack is very low. That said, if someone comes in with a pull request I won't turn them away.

gschneider-r7 avatar Nov 20 '17 19:11 gschneider-r7